Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Moving the Needle on ICS Cybersecurity Through IT/OT Collaboration

As manufacturing and critical infrastructure organizations grapple with ICS cybersecurity concerns, one of the most crucial factors for improvement has nothing to do with technology. Instead, it's all about building a collaborative culture within the IT and OT stakeholders.

The more mutual respect and cooperation fostered between the two parties, the easier it will be for the collective team to build an effective ICS cybersecurity program. Lessons learned from the long history of IT cybersecurity evolution can be custom-tailored to the OT operating environment's unique considerations. Establishing the footing for this kind of relationship all starts at the discovery and assessment stage.

In a previous blog post, I already discussed how IT security people can often shoot themselves in the foot when trying to gain buy-in from their OT peers about taking action on ICS security risks. IT cybersecurity veterans frequently believe that their years of experience translates directly to the OT world without first taking the time to fully understand the core mission and exigencies unique to the ICS environment.

So, what do IT teams need to avoid these missteps and, even better, start moving the needle on OT cyber risks? The key is not only lots of listening and empathy-building exercises but also taking the time to get into the weeds and fully understand the technical underpinnings of how the organization's OT systems work. Having a comprehensive view of the unique mission, systems, threats, and impacts for that ICS environment and the various vendor or business considerations must be taken into account as the team moves forward.

Through this discovery process, the IT team has an excellent opportunity to educate the OT team on why they need more visibility into the ICS environment's risk posture and how they might help them. Conversely, the OT team can help the IT team understand and appreciate the challenges they face and create a realistic plan that works for the business stakeholders overall.

IT leaders are usually called upon to drive this process's initiation, so they need to keep in mind that early on, there should be no expectations for actions just yet. And in some cases—especially if OT engineers are skittish at first due to previous negative interactions with IT—this process may even need to start as an informal meeting of the minds over a friendly shared box of donuts.

However one chooses to begin the process, discovery should help the joint IT/OT team understand and eventually document:

ICS System Architecture

Together the IT/OT teams should work to gain a shared view of how the overall system is architected, any special configuration requirements, and why it was created the way it was. If your organization had to rebuild this OT environment from scratch, what would that look like? Where would that configuration information come from? How much of the details are missing from documentation today? It will often quickly become apparent that neither party has a solid understanding of those details.

Vendor Relationship Status

Similarly, the team should get documentation together to establish all of the vendors installed within the environment, the Service Level Agreements, and the contractual restrictions that OT teams are working under to make the system function at optimal levels. Additionally, the team should be able to put down in writing who specifically at each vendor has remote access to the system and who is available to provide immediate help in the event of a cybersecurity incident.

Business Priorities

Ideally, the IT/OT team should also be making overtures to business stakeholders to discover the critical business missions that OT support, which will help prioritize the security roadmap and operations in the near- and long-term future. It is essential to have competent IT and OT people working together who have a keen understanding of the language and a core passion for the mission they are responsible for to appropriately advise the business.

Visibility Gaps

Finally, together the collaborative team should start figuring out where their most significant visibility gaps lie when it comes to identifying threats operating within their systems. Perhaps a cybersecurity skills gap exists. By leveraging the IT team to create more experts in-house and developing some cybersecurity champions within the ICS environment, that gap is reduced over time.

 

It is essential to understand that this process is an endless journey; IT and OT should consistently help each other with their respective education and visibility gaps concerning the most prevalent threats targeting their organizational environments. The ultimate goal for any organization is to effectively leverage their people, processes, and technology to reduce the risk to the stakeholders' acceptable level adequately. What people, process, and technology are selected will differ from IT to OT, and that is okay, because their mission, systems, threats, and impacts are different.

When establishing a baseline for these three resource requirements, ensure that in the end, they are well-suited to support the various networks, systems, applications (protocols), and have the appropriate context to be effective. For example, it is unfair to expect a single person to possess a competent level of skill in cybersecurity, engineering, automation, and IT, and the same can be applied to processes and technology as well. Finding the appropriate balance and structure within those resources will help everyone put their heads together to start prioritizing the most relevant risks to the business and adequately supporting the OT environment.

 

Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.

Joshua Carlson, Dragos
Joshua Carlson, Dragos
Joshua Carlson is the senior business development manager at Dragos.

Related Posts

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis

The Utilities Technology Council and Cumulys recently prepared a report in partnership with the ISA Globa...
Kara Phelps Dec 13, 2024 7:00:00 AM

Securing PLCs Through the Backplane: Balancing Performance and Simplicity

With the increasing convergence of operational technology (OT) and information technology (IT), the need ...
Ashraf Sainudeen Dec 6, 2024 7:00:00 AM

Practical Insights for Implementing Control System Security

Introduction In this blog post, we’ll share practical insights from operational experience in managing cy...
Pinakin Gokhale Nov 29, 2024 7:00:00 AM